Block renderer-initiated main frame navigations to data URLs

content/renderer/render_frame_impl.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/render_frame_impl.h"
 
 #include <map>
 #include <string>
 #include <utility>
 #include <vector>
@@ skipping 4689 matching lines @@
   if (!default_value)
     return false;
 
   bool blocked = true;
   Send(new FrameHostMsg_Are3DAPIsBlocked(
       routing_id_, url::Origin(frame_->top()->getSecurityOrigin()).GetURL(),
       THREE_D_API_TYPE_WEBGL, &blocked));
   return !blocked;
 }
 
+bool RenderFrameImpl::allowInsecureDataUrlNavigations(
+    const blink::WebURL& url) {
+  // Error pages can navigate to data URLs.
+  return url.string() == kUnreachableWebDataURL;

[nasko, 2017/04/05 23:55:19]

Given this implementation, naming this method
"allowContentInitiatedDataUrlNavigations" sounds a bit better to me. Error pages
are pretty much secure as they are local : ).

[meacer, 2017/04/06 01:25:42]

Done.

+}
+
 blink::WebScreenOrientationClient*
     RenderFrameImpl::webScreenOrientationClient() {
   if (!screen_orientation_dispatcher_)
     screen_orientation_dispatcher_ = new ScreenOrientationDispatcher(this);
   return screen_orientation_dispatcher_;
 }
 
 void RenderFrameImpl::postAccessibilityEvent(const blink::WebAXObject& obj,
                                              blink::WebAXEvent event) {
   HandleWebAccessibilityEvent(obj, event);
@@ skipping 2252 matching lines @@
       policy(info.defaultPolicy),
       replaces_current_history_item(info.replacesCurrentHistoryItem),
       history_navigation_in_new_child_frame(
           info.isHistoryNavigationInNewChildFrame),
       client_redirect(info.isClientRedirect),
       cache_disabled(info.isCacheDisabled),
       form(info.form),
       source_location(info.sourceLocation) {}
 
 }  // namespace content